Information Security
Information Security protects your information from being disclosed,
modified or becoming inaccessible. Put another way, Information
Security seeks to ensure the Confidentiality, Integrity
and Availability (CIA) of Information.
Confidentiality of Information
What would happen if your most sensitive data (for example, personal
data) were available for others to read? Confidentiality
provides protection against unauthorised access to such
information.
Integrity of Information
What would happen if your business critical data (accounts
database/spreadsheet) were to be changed without authorisation?
Integrity provides protection against accidental or malicious
changes.
Availability of Information
What would happen if your business critical information
and systems became inaccessible? Availability provides protection
against loss of such systems and information.
Addressing Security Issues
Security is best addressed by carrying out a Risk Assessment
to determine your Security Vulnerabilities and allow you
to rate them in terms of significance. You can then determine
appropriate Countermeasures and document these in a Security
Policy. The main areas to consider are:
Personnel Security: Do you ensure that you have performed
checks on employees who have access to critical information?
Are all personnel aware of their security responsibilities?
Do your employees sign Confidentiality Agreements? Do you
have security awareness campaigns?
Physical Security: Do you ensure
that information is not physically accessible? Do you control
access to computer rooms? Do you control access to areas
where critical and personal data is stored?
Computer and Network Security: Do
you ensure that your computer systems are protected from
unauthorised access? Do you protect against viruses? Do
you implement secure access controls to your critical and
personal data?
Business Continuity and Incident Management:
Do you have a Business Continuity Plan? Do
you know how to deal with security incidents that may occur?
To support the
Security Policy and Countermeasures you should also document
any Security Procedures you need. You should review the
Security Policy on a regular basis to make sure it is kept
up to date. You should also audit against the Security Policy
and Procedures to ensure they are being adhered to.
There is a Security Management standard (known as ISO17799 or
BS7799). This standard details the controls required to achieve
good levels of security. Many companies are becoming compliant
with this standard, and some are gaining formal accreditation
to it (similar to accreditation to the Quality Standard ISO9000).